Quiet Waters Blog

Are You Secure? Are You Sure?

Two things happened to me recently that got me thinking about security. One is that I had an in-depth talk with one of AWWA’s experts in security while at the American Water Works Association's annual conference (ACE) last week. The other was a chance to review a research paper on water security for a colleague. I started to wonder, how many of you are secure? Are you sure about that?

I have heard quite a few people start to talk about security and immediately go to September 11 and terrorist threats. This is where I normally tune out. After all, there is a bit of hysteria around terrorism, and some is overplayed.

Don’t get me wrong, I am not saying that terrorism is irrelevant to water and wastewater. I'm saying that it has to be managed. We have to remember what terrorists want ─ to strike fear into all of us. To do this, they will strike targets with big impact and good media coverage. If you are an operator in a large city such as New York, Detroit, or Seattle, then yes, you have to worry about it. Terrorism also is a concern if your plant is located in a high-profile town, such as a major amusement park in Florida or an upper-class Colorado ski resort. But, if you are an operator in a rural farming town, terrorism is not so much of a concern but it doesn't let you off the hook, either.

Smaller facilities still have to worry about security breaches, which can be broken down into two categories: malicious and non-malicious.

Malicious breaches are done by terrorists or, more likely, disgruntled individuals. Attacks can be virtual, such as a computer virus, Trojan, or worm, and these can be prevented by good security software and network access policies. The individual can be a greater concern because he or she might act out in anger or exploit your facility's weakness without taking the time to study the facility. Although the risk of damage from a malicious attack is quite high, the incidence of occurrence is low.

In non-malicious breaches of security, the individual does not intend to harm the facility but does just the same. One of the people I talked to at ACE last week told me that an operator tried to load his favorite computer game onto the SCADA computer, which crashed the system. Yes, the person acted in poor judgment, and yes, the person’s behavior needs to be addressed, but he probably did not intend to harm the facility. Another case happened to me directly. A contractor plugged a drill into the socket inside a control panel my company supplied. The drill's brushes were well worn, and the resulting back feed of low-level harmonics took out a PLC power supply, rendering automatic control from that panel useless. Usually damage from this type of breach is minor, but the incidence of occurrence is high.

So how do you protect your facility? Start with the non-malicious breach. This also will lay a nice foundation for protection against the malicious attacker. For the specific steps, you should contact a security expert for recommendations.

Also, be aware that security requirements are changing. The government is looking at ways to tighten SCADA security. From what I have been told, the focus on the SCADA security initiative is on energy utilities. However, the recommendations are probably binding to all SCADA systems. It is possible that each municipality will have to adopt measures that were developed for larger systems.

With the impact that we have on our communities, we all need to ask ourselves if we are secure. The answer to this question should always be “No.” Then we need to ask what we can do to make ourselves secure. After all, as Edmund Burke said in the 18th century, it is “Better to be despised for too anxious apprehensions, than ruined by too confident security.”